What updates were included in SAP's June 2024 Security Patch Day?

On June 2024 Security Patch Day, SAP released ten new and two updated security notes. The updates included patches for various vulnerabilities across multiple SAP products.

What are the high-priority security notes from SAP's June 2024 updates?

The high-priority security notes include: 1. CVE-2024-37177 (CVSS score 8.1) - Cross-Site Scripting (XSS) in Financial Consolidation: This note addresses two XSS vulnerabilities in SAP’s Financial Consolidation product. The more critical vulnerability allows data from an untrusted source to manipulate website content, posing significant risks to the application's confidentiality and integrity. 2. CVE-2024-34688 (CVSS score 7.5) - Denial-of-Service (DoS) in SAP NetWeaver AS Java: This vulnerability impacts the Meta Model Repository services in SAP NetWeaver AS Java, allowing attackers to cause DoS conditions and render the application unusable for legitimate users.

What other medium-severity vulnerabilities were addressed in the SAP June 2024 updates?

The medium-severity vulnerabilities addressed include: 1. CVE-2024-33001 (CVSS score 6.5) - Denial of Service (DoS) in SAP NetWeaver and ABAP platform 2. CVE-2024-34683 (CVSS score 6.5) - Unrestricted file upload in SAP Document Builder (HTTP service) 3. CVE-2024-34691 (CVSS score 6.5) - Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files) 4. CVE-2024-34686 (CVSS score 6.1) - Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) 5. CVE-2024-32733 (CVSS score 6.1) - Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform 6. CVE-2024-37176 (CVSS score 5.5) - Missing Authorization check in SAP BW/4HANA Transformation and DTP 7. CVE-2024-34690 (CVSS score 5.4) - Missing Authorization check in SAP Student Life Cycle Management (SLcM) 8. CVE-2024-28164 (CVSS score 5.3) - Information Disclosure vulnerability in SAP NetWeaver AS Java (Guided Procedures) 9. CVE-2024-34684 (CVSS score 3.7) - Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling) 10. CVE-2024-33000 (CVSS score 3.5) - Missing Authorization check in SAP Bank Account Management

Advisory

SAP June 2024 patch day fixes multiple issues, high severity in Financial Consolidation, NetWeaver

published: June 11, 2024

Take action: There are no panic mode patches for this month, but a review is warranted for SAP Financial Consolidation and SAP NetWeaver.

Learn More

On June 2024 Security Patch Day, SAP releaseд ten new and two updated security notes. The updates include patches for various vulnerabilities across multiple SAP products.

High-Priority Security Notes

CVE-2024-37177 (CVSS score 8.1) - Cross-Site Scripting (XSS) in Financial Consolidation - This security note addresses two XSS vulnerabilities in SAP’s Financial Consolidation product. The more critical vulnerability allows data to enter a web application from an untrusted source, potentially manipulating website content. This poses significant risks to the confidentiality and integrity of the application.
CVE-2024-34688 (CVSS score 7.5) - Denial-of-Service (DoS) in SAP NetWeaver AS Java - This vulnerability impacts the Meta Model Repository services in SAP NetWeaver AS Java. Due to unrestricted access to these services, attackers can cause DoS conditions, rendering the application unusable for legitimate users. DoS conditions preventing legitimate user access.

Other security notes address medium-severity vulnerabilities in the following SAP products:

CVE-2024-33001, (CVSS score 6.5), Denial of service (DOS) in SAP NetWeaver and ABAP platform
CVE-2024-34683, (CVSS score 6.5), Unrestricted file upload in SAP Document Builder (HTTP service)
CVE-2024-34691, (CVSS score 6.5), Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files)
CVE-2024-34686, (CVSS score 6.1), Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI)
CVE-2024-32733, (CVSS score 6.1), Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
CVE-2024-37176, (CVSS score 5.5), Missing Authorization check in SAP BW/4HANA Transformation and DTP
CVE-2024-34690, (CVSS score 5.4), Missing Authorization check in SAP Student Life Cycle Management (SLcM)
CVE-2024-28164, (CVSS score 5.3), Information Disclosure vulnerability in SAP NetWeaver AS Java (Guided Procedures)
CVE-2024-34684, (CVSS score 3.7), Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling)
CVE-2024-33000, (CVSS score 3.5), Missing Authorization check in SAP Bank Account Management

SAP June 2024 patch day fixes multiple issues, high severity in Financial Consolidation, NetWeaver

Read More
JWT signature verification bypass enables account takeover in …
Oracle releases emergency patch for E-Business Suite as …
Adobe fixes ColdFusion arbitrary file read vulnerability
Atlassian Confluence patches high severity flaw with published …
SAP Security Patch Day April 2026: Critical SQL …